《CloudNativeSecurityCon_2023_Parsec_Attestation.pdf》由会员分享,可在线阅读,更多相关《CloudNativeSecurityCon_2023_Parsec_Attestation.pdf(15页珍藏版)》请在三个皮匠报告上搜索。
1、Paul Howard,Principal System Solutions Architect,ArmTaming Attestation for the Cloud-Native World With ParsecWho Am I?Paul HowardPrincipal System Solutions Architect at Ahttps:/cf.io/https:/ SessionContextAndIntroductionAttestationEvidenceAndVerificationApplicationsOfAttestationTLSThe Cloud-Native E
2、dgeGateway ModelCloud-Native Edge ModelDataActionsDataActionsDataActionsInsightsActionsEmbedded workloadsSingle applicationProtocol translationLow compute powerCompute-capableContainersCI/CDML/AnalyticsSensor Fusion(High Volume)(High Value)Cloud-Native Edge SecurityCloud-Like DevelopmentIoT-Like Sec
3、urity Rich Workloads in High-Level Languages CI/CD Multi-Tenancy Tamper-Prone Environments Platform Diversity Hardware-Backed SecurityTPMHSMSECUREELEMENT Containers/Orchestration Low-Level,Device-Specific APIs(requiring specialist,non-portable engineering)EdgeISOLATEDSERVICESParsec Simplifies Hardwa
4、re SecurityApplication CodeVendor-specific libraries,shims and toolsPKCS#11 StandardDiverse Platform Hardware/RoTApplication CodeNative,shim-free integrations(continuously maintained and improved)Diverse Platform Hardware/RoTConvenient API in any languageThe Legacy WorldThe historical prevalence of
5、the PKCS#11 standard has led to a variety of libraries and shims.Application code needs to directly link and be tested against various libraries on different platforms.The Parsec WorldThe Parsec microservice runs as part of the platform,meaning that application code has only a single component to in
6、teract with.Parsec handles the variety of integrations needed for different platforms and is maintained by an expert community.Requires C language or foreign code layerUse Case:OnboardingPRIVATE KEYCERTIFICATEProvisionEDGE DEVICESERVICEPRIVATE KEYCERTIFICATEEDGE DEVICESERVICEPRIVATE KEYEDGE DEVICESE
7、RVICERegisterCERTIFICATEmTLS123The Private Key is Not Enough?BootRoot of TrustFirmwareOS/ComponentsPrivate Key Owned by Measured/Verified PlatformPrivate Key Owned by Unverified PlatformEndorse,Attest,VerifyVerifier ServiceManufacturingDeviceApplication/Service(Relying Party)endorsedeployattestverif
8、yAny Architecture,Any Deployment,Any PolicyStandardProvisioning Data ModelVerificationAPIPlatform-Agnostic Evidence andVerificationTrusted Platform Module(TPM)PSA Root of TrustRATS Conceptual Messages Wrapper(Common Encapsulation)https:/datatracker.ietf.org/doc/draft-ftbs-rats-msg-wrap/01/Relying Pa
9、rty(Platform-Agnostic)Entity Attestation Token(EAT)Trusted Services(Isolated)CryptoSecure StorageAttestationhttps:/www.psacertified.orgVerifier Service(Platform-Agnostic)TPM 2.0 Cert/Quote StructuresTPM ComponentsCryptoHierarchiesPCRsEVIDENCERESULTSAttested TLShttps:/datatracker.ietf.org/doc/html/dr
10、aft-fossati-tls-attestation-01Client(Attester)Server(Relying Party)Secure ChannelServer CertificateClient RoTClient Private+Attestation Key(s)TLS Stack(eg.MbedTLS)Attestation Evidence(signed)Handshake(Augmented)VerifierPlatform StateVerificationEndorseProvisionSPIRE Node AttestationAgentServerNodeAttesterNodeAttesterparsec-go-clientAny RoTevidenceveraison-go-clientverifyendorseVerifier ServiceLearn More and Get Involved!Attested TLShttps:/ You!Q&A